Yesterday, Cybersecurity company UpGuard announced that a misconfigured cloud-based data repository exposed the personal data of millions of Verizon customers who had called Verizon customer support during the past six months. The exposed data included customer names, street and email addresses, phone numbers and PINs. The PIN exposure is especially troubling. If you called Verizon customer support this year, you should change your PIN immediately. This is especially true if you use your Verizon PIN to access other accounts.
The cloud server was operated by Nice Systems, a third-party vendor that handles customer service operations for Verizon. UpGuard Director of Cyber Risk Research Chris Vickery discovered the unprotected server on June 8 and the company notified Verizon of the problem on June 13. Nine days went by before the breach was closed on June 22. It is unknown how long the breach was open before Vickery found it.
Upguard estimated that data from 14 million customers was exposed. Verizon verified that the breach had taken place and claimed exposure was limited to 6 million customers.
Exposure of customer PIN numbers is dangerous for several reasons. First, it gives malicious actors direct access to a customer’s Verizon account. Even more troubling, it allows someone to hijack a Verizon phone account which in turn could be used to circumvent two-factor authentication. These problems are magnified for customers who use the same PIN for multiple accounts. Every account that shares the Verizon PIN should be considered as compromised.